Add web frontend with JWT auth, RBAC, SSE dashboard, and config editor

- FastAPI + htmx + Jinja2 web frontend, started with --web flag
- JWT HS256 auth (WEB_SECRET_KEY) with httpOnly cookies; access (15 min) +
  refresh (7 day) tokens; refresh rotation + JTI revocation in data/web.db
- RBAC: superadmin > admin > reader enforced per route
- Live SSE dashboard fed by tui/events broadcast queue
- Config editor: keyword groups and channel list saved to data/runtime_config.json
  and hot-reloaded in-process (scorer.reload_from_config, signal_channel_changed)
- config.py migrated to load groups/channels from runtime_config.json;
  falls back to hardcoded defaults when file absent
- tui/events.py: subscribe/unsubscribe broadcast, set_bot_context/signal_channel_changed
- utils/scorer.py: import config as _config (fixes local binding); reload_from_config()
- utils/database.py: count_by_severity, recent_for_domains, count_by_severity_for_domains
- 53 new tests (events bus, JWT lifecycle, web DB CRUD, RBAC enforcement,
  config round-trip); total 141 passing

utils/database.py

@@ -144,6 +144,51 @@ def by_severity(severity: str) -> list[sqlite3.Row]:
         """, (severity,)).fetchall()
 
 
+def recent_for_domains(patterns: list[str], limit: int = 100) -> list[sqlite3.Row]:
+    """Return recent hits whose `raw` field matches any of the given regex-like patterns."""
+    if not patterns:
+        return []
+    conditions = " OR ".join("raw LIKE ?" for _ in patterns)
+    args = [f"%{p.replace(r'\.','.').replace('@','').replace('^','').replace('$','')}%" for p in patterns]
+    args.append(limit)
+    with _connect() as conn:
+        return conn.execute(
+            f"SELECT * FROM hits WHERE ({conditions}) ORDER BY timestamp DESC LIMIT ?",
+            args,
+        ).fetchall()
+
+
+def count_by_severity_for_domains(patterns: list[str]) -> dict:
+    """Severity counts filtered to hits matching any of the given patterns."""
+    if not patterns:
+        return {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
+    conditions = " OR ".join("raw LIKE ?" for _ in patterns)
+    args = [f"%{p.replace(r'\.','.').replace('@','').replace('^','').replace('$','')}%" for p in patterns]
+    with _connect() as conn:
+        rows = conn.execute(
+            f"SELECT severity, COUNT(*) FROM hits WHERE ({conditions}) GROUP BY severity",
+            args,
+        ).fetchall()
+    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
+    for row in rows:
+        if row[0] in counts:
+            counts[row[0]] = row[1]
+    return counts
+
+
+def count_by_severity() -> dict:
+    """Overall severity counts (unique hits only)."""
+    with _connect() as conn:
+        rows = conn.execute(
+            "SELECT severity, COUNT(*) FROM hits WHERE seen_before=0 GROUP BY severity"
+        ).fetchall()
+    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
+    for row in rows:
+        if row[0] in counts:
+            counts[row[0]] = row[1]
+    return counts
+
+
 def stats() -> dict:
     """Return summary statistics."""
     with _connect() as conn:

utils/scorer.md

@@ -72,16 +72,20 @@ The URL field handles two common stealer-log complications:
 
 ---
 
-## Module-level globals (rebuilt on import + via KeywordsScreen)
+## Module-level globals (rebuilt on import + via reload_from_config)
 
 | Name | Type | Description |
 |------|------|-------------|
 | `EMPLOYEE_DOMAINS` | `list[tuple[str, Pattern]]` | `(domain_str, anchored_pattern)` for `@`-keywords |
 | `ORG_DOMAINS` | `list[Pattern]` | Plain domain patterns for all keywords |
 
+scorer uses `import config as _config` (not `from config import TARGET_KEYWORDS`), so patching `config.TARGET_KEYWORDS` at runtime is sufficient — `_build_*` reads the live module attribute.
+
 To rebuild after editing `config.TARGET_KEYWORDS` at runtime:
 ```python
 import utils.scorer as scorer
-scorer.EMPLOYEE_DOMAINS = scorer._build_employee_domains()
-scorer.ORG_DOMAINS      = scorer._build_org_domains()
+scorer.reload_from_config()
 ```
+
+### `reload_from_config() -> None`
+Rebuilds `EMPLOYEE_DOMAINS` and `ORG_DOMAINS` from the current `config.TARGET_KEYWORDS`. Called by web config routes after `config.save_runtime_config()` writes new keyword groups.

utils/scorer.py

@@ -30,7 +30,7 @@ Each scored hit gets a dict with:
 import re
 import logging
 from dataclasses import dataclass, field
-from config import TARGET_KEYWORDS
+import config as _config
 
 log = logging.getLogger(__name__)
 
@@ -124,7 +124,7 @@ def _build_employee_domains() -> list[tuple[str, re.Pattern]]:
     Returns list of (domain_str, compiled_pattern) tuples.
     """
     patterns = []
-    for kw in TARGET_KEYWORDS:
+    for kw in _config.TARGET_KEYWORDS:
         if "@" in kw:
             domain = _kw_to_domain(kw)
             if domain:
@@ -144,7 +144,7 @@ def _build_org_domains() -> list[re.Pattern]:
     Checks that the org domain appears anywhere in the line.
     """
     patterns = []
-    for kw in TARGET_KEYWORDS:
+    for kw in _config.TARGET_KEYWORDS:
         domain = _kw_to_domain(kw)
         if domain:
             patterns.append(re.compile(re.escape(domain), re.IGNORECASE))
@@ -153,6 +153,16 @@ def _build_org_domains() -> list[re.Pattern]:
 ORG_DOMAINS = _build_org_domains()
 
 
+def reload_from_config() -> None:
+    """
+    Rebuild EMPLOYEE_DOMAINS and ORG_DOMAINS from the current config.TARGET_KEYWORDS.
+    Call after save_runtime_config() updates the keyword list.
+    """
+    global EMPLOYEE_DOMAINS, ORG_DOMAINS
+    EMPLOYEE_DOMAINS = _build_employee_domains()
+    ORG_DOMAINS      = _build_org_domains()
+
+
 
 # ─── Scoring logic ────────────────────────────────────────────────────────────